A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints.
Kuryr implements network policies by creating one security group per policy and adding rules to it according to the network policy spec.
To enable network policies in Kuryr, several handlers must be enabled:
- The namespace handler, which creates a Neutron network per namespace
- The policy handler, which acts upon network policy CRUD actions
- The pod_label handler, which reacts to changes in pod labels that are referenced by NPs
- The kuryrnetpolicy handler, which keeps track of the Kuryr CRDs associated with NPs
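To make the mapping concrete, the following added example (illustrative code written for this page, not Kuryr's own implementation) translates the NetworkPolicy from the bug report below into Neutron-style security group rule dicts and then evaluates traffic against them the way a security group would. The ipBlock `except` handling is the interesting part: security group rules have no exclusion concept, so the CIDR must be split into the allowed sub-ranges around the hole. The rule dict keys mirror Neutron's security group rule attributes; `SAMPLE_POLICY`, `expand_ip_block`, `policy_to_sg_rules` and `is_allowed` are names chosen here, and podSelector/namespaceSelector peers are deliberately left out since resolving them requires live pod IPs.

```python
import ipaddress

# Constructed sample: the NetworkPolicy from the bug report, as a Python dict.
SAMPLE_POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "backend"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                                  "except": ["172.17.1.0/24"]}}],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
            "ports": [{"protocol": "TCP", "port": 5978}],
        }],
    },
}


def expand_ip_block(ip_block):
    """Return the CIDRs covered by an ipBlock once its 'except' ranges are removed.

    Security group rules have no 'except' notion, so an ipBlock with exceptions
    must become several allow rules that together cover the CIDR minus the
    excluded subnets.
    """
    remaining = [ipaddress.ip_network(ip_block["cidr"])]
    for excluded in ip_block.get("except", []):
        exc = ipaddress.ip_network(excluded)
        kept = []
        for net in remaining:
            if exc.subnet_of(net):
                kept.extend(net.address_exclude(exc))  # carve the hole out
            elif net.subnet_of(exc):
                pass  # this piece is wholly excluded
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(remaining)]


def policy_to_sg_rules(policy):
    """Translate a NetworkPolicy into Neutron-style security group rule dicts.

    Simplified model of the mapping (hypothetical, not Kuryr's code): one allow
    rule per (direction, peer CIDR, port). podSelector/namespaceSelector peers
    are left out because resolving them needs the cluster's pod IPs.
    """
    spec = policy["spec"]
    rules = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        if direction.capitalize() not in spec.get("policyTypes", []):
            continue
        for block in spec.get(direction, []):
            peers = block.get(peer_key)
            if peers is None:  # no peer list at all means "any source/destination"
                cidrs = ["0.0.0.0/0"]  # IPv4-only simplification
            else:
                cidrs = [c for p in peers if "ipBlock" in p
                         for c in expand_ip_block(p["ipBlock"])]
            # No 'ports' list means every port on every protocol.
            ports = block.get("ports") or [{"protocol": None, "port": None}]
            for cidr in cidrs:
                for port in ports:
                    proto = port.get("protocol")
                    rules.append({
                        "direction": direction,
                        "ethertype": "IPv4" if ipaddress.ip_network(cidr).version == 4 else "IPv6",
                        "protocol": proto.lower() if proto else None,
                        "port_range_min": port.get("port"),
                        "port_range_max": port.get("port"),
                        "remote_ip_prefix": cidr,
                    })
    return rules


def is_allowed(rules, direction, remote_ip, protocol, port):
    """Evaluate traffic against the rules the way a security group does:
    allowed only if some rule matches, implicitly denied otherwise."""
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r["direction"] != direction:
            continue
        if r["protocol"] not in (None, protocol.lower()):
            continue
        if r["port_range_min"] is not None and not (
                r["port_range_min"] <= port <= r["port_range_max"]):
            continue
        if addr in ipaddress.ip_network(r["remote_ip_prefix"]):
            return True
    return False


if __name__ == "__main__":
    for rule in policy_to_sg_rules(SAMPLE_POLICY):
        print(rule)
```

Running the block yields nine rules: eight ingress rules covering 172.17.0.0/16 minus 172.17.1.0/24 on TCP 6379, and one egress rule for 10.0.0.0/24 on TCP 5978. `is_allowed` then shows the default-deny behaviour that matters for a reviewer: a source inside the excluded /24 is rejected even though it sits inside the allowed /16, and any port not listed in the policy is rejected for every source.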
Description Antoni Segura Puimedon 2017-10-19 13:39:25 UTC
Description of problem:
In order to implement security in OpenShift cluster namespaces, there is the NetworkPolicy object which allows you to define ingress and egress policies that apply to a selector, i.e., a set of pods that share one or more labels.
Kuryr only supports security by means of specifying the Security Groups that apply to the Pods but not this native OpenShift way.
This feature request is about closing this feature gap and allowing users to leverage the power of NetworkPolicy objects and have them transparently mapped to security groups.
Steps to Reproduce:
1. Create a NetworkPolicy object
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
2. Create a neutron network and subnet 172.17.0.0/16 and place a VM there
3. Attach the subnet to the OpenShift cluster router
4. oc run --image=celebdor/kuryr-demo --labels="tier=backend"
5. oc get po
6. from the VM at 172.17.0.0/16 curl the IP of the pod with port 8080
Actual results:
No response from the pod due to Security Groups
Expected results:
The network policy is translated to security group changes to the matching pods and the response of the Pod HTTP server makes it back to the VM.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2019:2811